WebKit Same‑Origin Bypass (CVE‑2026‑20643) Enables Cross‑Origin Attacks on iOS, iPadOS, macOS
What It Is — Apple’s WebKit Navigation API contains a cross‑origin flaw that allows malicious web content to bypass the Same‑Origin Policy, potentially letting attackers read or manipulate data from other origins.
Exploitability — No public PoC has been released, but the vulnerability is trivial to weaponize in a malicious webpage; Apple issued an emergency patch, indicating high‑risk potential. CVSS score not assigned (N/A).
Affected Products — WebKit engine shipped with iOS 16+, iPadOS 16+, and macOS 13+ (including Safari and any WebKit‑based browsers).
TPRM Impact — Any third party that relies on Apple devices for employee workstations, a mobile workforce, or customer‑facing apps inherits this risk. A supply‑chain breach could expose data across multiple industries that use Apple hardware.
Recommended Actions —
- Verify that all Apple devices have installed the March 2026 security update (WebKit CVE‑2026‑20643).
- Enforce browser‑level content‑security policies (CSP) on internal web applications to mitigate same‑origin bypass attempts.
- Conduct a rapid assessment of any third‑party SaaS solutions that embed WebKit (e.g., hybrid apps) for residual risk.
- Update your TPRM vendor questionnaire to include “WebKit security patch status” for Apple‑based providers.